Want To See How Easy It Is To Hack An Election?

from the have-a-look-see dept

It seems like every few months, well respected security researchers come out with yet another report about just how insecure various e-voting machines are. The amazing thing is how hard the various e-voting companies have fought against allowing these researchers to look at their machines, always insisting that the federal certification process (the one that's were later shown to have not done a very good job testing the machines) was fine. Of course, even the Government Accountability Office has admitted that the federal certification process sucks.

One of the complaints that the e-voting firms have had about having independent security researchers testing the machines is that those tests are not in real world conditions. In fact, we had a commenter from one of the e-voting companies who insisted that these independent tests were useless because:

The point people often miss, which is left off of the conspiracy blogs, is that all of these 'hacking' attempts that are requested are made to do so in some sort of vacuum. In some obscure room where a gang of hackers get together and try to penetrate the system with unlimited resources. In any election, paper or fully electronic, there are procedural and security measures taken that complement and supplement the security features of the system itself. This is in addition to internal and system-independent, pre- and post-election audit features.

That's really rather meaningless, because if it were true, then that info would also come out in those independent research reports. However, even that comment turns out to be untrue. As a few folks have submitted, some security researchers at UCSB have demonstrated not just how insecure Sequoia's e-voting systems are, but they've shown how easy it is to hack an election with a pair of videos that you can watch right here (if you're in the RSS feed, click through to see them):

What this shows is that the hack that the researchers shows demolishes that comment from the insider. All it required was for those wishing to change the results of the election to drop a USB key into the pile of USB keys used to set the system up. All of the security measures that the insider talks about are then bypassed with ease. The video shows it getting buy the procedural security measures, as well as the pre- and post-election audit features.

The video also shows why paper ballots are hardly a solution, as the second video shows how the malware included in the software can be set to void out legitimate votes and replace them with fake votes, in a variety of different scenarios, almost all of which are likely to go undetected. This is a hugely damning report -- and it comes against a company that has fought so hard against having its machines tested by independent security experts. While some may say that this shows why they didn't want it tested -- it should concern anyone who believes in free and fair democratic elections that we're using such insecure voting machines.

Re: The Dem's have a rule: Either we Win or you cheated, be it debates, elections...

uh what?

Since when were dems the corrupt ones and not both sides?

Man, wake up from your political vacuum.

Meanwhile, I believe it was Ohio or Florida that says that they are not going to change their voting machines regardless. Not that it matters anyway since electoral college decides the vote, not the people.

nice try, but the issue isn't partisan. the issue is whether voting machines are secure or not, and whether the American people should pay for technology that doesn't deliver what was promised and is needed---a transparent voting process. I'm an election judge in my county and we have procedures in place to make sure that everyone can trust the process. But no one can trust the machines if we can't see inside them.

please don't use knee jerk partisanship to subvert an important discussion

Re: Re: The Dem's have a rule: Either we Win or you cheated, be it debates, elections...

Your comment is at least misleading. The implication is that there is no connection between individual votes and the electoral college, which is not true.

Yes, election success or failure depends on electoral votes, not the popular vote, and yes it is *possible* that electoral votes can be cast differently than the popular vote within the electoral college district. However, the hanging chads and other recounts would seem to defy that assertion. Individual votes *do* count and the people ultimately decide the electoral votes (at least given our current system and precedents).

Re: Re:

Re: Re: The Dem's have a rule: Either we Win or you cheated, be it debates, elections...

What the desperate little coward is trying to say is that you should ignore the admitted problems that the shameful and absurd voting machine security flaws, because he wishes to distract you with a little game of immature "your mother" taunts based on whom he believes benefited or did not benefit.

I suggest the mature among us do not allow ourselves to be baited off-topic with immature and pointless diversionary tactics like this. The voting machines are in question, regardless of the winners of the elections. AFTER you address the inequities and known security lapses, THEN you follow who benefited and try to establish motive, scope and follow the trail to who should be held accountable for alleged illegal acts. I'm not saying there WAS any criminal culpability, but if there turns out to be (regardless of whom or how high reaching), rest assured I will be among the most vocal to seek the justice that this country's principals and reputation dictate.

Re: The Dem's have a rule: Either we Win or you cheated, be it debates, elections...

You're a complete douchebag. No one's even talking about cheating in the election, there was no claim that 'Republicans exploited these machines to win the election', although I'm not sure how G.W.B. could have been elected a SECOND time without some help...

This here is a non-biased, factual report, on the inadequacies of electronic voting machines. And you sir, again, are a complete douchebag.

Re: Re: Re: Re: The Dem's have a rule: Either we Win or you cheated, be it debates, elections...

If you can't see that the security of the voting machines is without political affiliation, then you need to read the article again and again until you can present evidence to the contrary. This is an issue for every citizen of the United States, despite the immature accusatory rhetoric.

Oh no, Not again!

The public is not offered access to USB ports on the machines in question. The video shows someone who has full access to a machine and is able to access what ever they like. How are you going to drop a key file in the machine? By getting out your tools pulling the machine out of the voting booth, hooking up to the system, running your script, and then manipulating the results. They are not going to just let you pull apart a voting machine and do what ever you want.

So the arguement that paper is superior is ridiculous. If someone has full access to machine they would also have full access to the paper ballot and be able to switch out results as they see fit. This is just a scare tactic which is utilized in politics.

This is not an internet hack. Where someone 3 countries away can remote into the system and hack it. The network is entirely stand alone. And requires a hacker to get up close and personal with a machine. While it can be done. The chances of success are a gigantic longshot. If you want to play the odds game.. Your more and likely going to encounter fraud with paper ballots. Because any fool can swap out paper ballots. This hack requires some kind of a skill set. So your chances for fraud a greater for paper.

Re: Re:

Because the Republicans were already cheating (by whatever means) and didn't want to draw attention to the fact that they were. Plus since they have the Decider in Chief vetoing everything they don't like coming down the pipe it didn't matter. Wait until Republicans are not cheating AND the Dems have a President, Senate and House majority and then you'll see plenty of Republican whining...

Re: Re: Re: Re: The Dem's have a rule: Either we Win or you cheated, be it debates, elections...

Dude, electronic voting machines weren't used before the 2000 election, so you really just sound like an ignorant ass by even mentioning Democrats. Nonny Moose had it right, but I can't help but let you know how completely stupid you look and sound right now.

Democrats haven't won an election since these were put in use, but let me be the first to tell you that after they win the upcoming election, there will be no less attention paid to the problem that is electronic voting machines.

2006 you say the dems won and we forgot about these problems... Again, words can't describe how stupid you sound. This is 2008 and we're reading an article about the same problem you said was dropped 2 years ago... The american people are complaining, not the democrats, and they have every reason to. There's absolutely no reason why something so critical couldn't be open sourced and examined for flaws, faults, bugs, and exploits by the whole world....

Re: Oh no, Not again!

The public is not offered access to USB ports on the machines in question

No one said they were. The report, rather clearly, noted that for the attack to work, all someone would need to do is get an infected USB drive into the collection of startup USB keys.

If you don't think it's possible for someone looking to hack an election to get access to wherever the keys are stored sometime in the days before the election, you are quite naive.

The video shows someone who has full access to a machine and is able to access what ever they like.

Actually, no, it doesn't. The only people who have full access to the machines are those who are election officials. The entire surreptitious part is just in getting an infected USB key into the pile of USB keys. That may not be easy for anyone to do, but it's absolutely possible.

How are you going to drop a key file in the machine? By getting out your tools pulling the machine out of the voting booth, hooking up to the system, running your script, and then manipulating the results. They are not going to just let you pull apart a voting machine and do what ever you want.

Clearly, you did not watch the video. The whole point is that the hacker DOES NOT need to do that. All they need to do is get the infected USB key into the pile of USB keys that the election officials have in their offices. That could be done by an intruder or, say, a corrupt election official.

So the arguement that paper is superior is ridiculous.

Only if you're lying about it. Which you appear to be.

So the arguement that paper is superior is ridiculous.

As if anyone claimed it was? My goodness.

And requires a hacker to get up close and personal with a machine.

No, it doesn't. You can repeat it over and over again, but it's false.

While it can be done. The chances of success are a gigantic longshot. If you want to play the odds game..

This isn't a random roll of the dice as you imply. As was clearly shown in the video -- though, apparently you missed it -- is that all you need is ONE corrupt official with access to the pile of USB keys or ONE intruder to drop the key in in a SECOND. You don't think that's possible?

Your more and likely going to encounter fraud with paper ballots.

Did you miss the post the other day? The difficulty of creating *massive* fraud with paper ballots is high. But something like this can create widespread fraud with just a split second of access -- and it's impossible to catch.

This hack requires some kind of a skill set.

Another misleading statement. Did anyone imply that it wouldn't be skilled people hacking the election?

Your comment makes little sense and is either willfully ignorant or deliberately misleading.

Re: Re: Re: The Dem's have a rule: Either we Win or you cheated, be it debates, elections...

obviously the Dems complained the loudest when those questionable elections ended. The Reps were too busy planning a way F*CK the entire country over. God forbid we actually ensure that process on which our nation is built is executed properly in such a close election. Perhaps you should work on not being such a douche.

Voting machines weed out the undeserving plebes

First the Electoral College, now the voting machinese ensure that democracy is not marred by uneducated working masses. Democracy is for those in power and elections are the opiate of the masses. Vote for Big Oil and Credit Card companies and defense contractors--if you know what's good for you ignorant masses.

Re: Re: Oh no, Not again!

Your comment makes little sense and is either willfully ignorant or deliberately misleading.

Iam ignorant? I am misleading? Your whole arguement is based on a high security risk that these machines are going to hacked. But then you admit that it is not easy. Here lets use your own words to prove my point.

My Words: The video shows someone who has full access to a machine and is able to access what ever they like.

Your Words: Actually, no, it doesn't (ACTUALLY YES IT DOES.. GEEZ GET A CLUE). The only people who have full access to the machines are those who are election officials (Your now speaking about a live election process here. Not the hack on the video). The entire surreptitious part is just in getting an infected USB key into the pile of USB keys. That may not be easy for anyone to do, but it's absolutely possible (AGAIN I EMPHASIZE EVEN YOU ARE SAYING THAT IT IS NOT EASY FOR ANYONE TO DO..

My Words: So the arguement that paper is superior is ridiculous.

Your Words: As if anyone claimed it was? My goodness.

Well then whats your point!!!! Good Grief If electronic voting is superior why spend time knocking it!!!! Electornic Voting my not be perfect. But does it not makes sense to move to something superior?

Yeah, I am the ignorant one.. Get a clue. Your just arguing to argue. Your unable to recognize reason. I was simply making statement in much of my writing. I was not contradicting anyone.

I Said: This hack requires some kind of a skill set.

You Said: Another misleading statement. Did anyone imply that it wouldn't be skilled people hacking the election? (Misleading??? HOW IS IT MISLEADING WHEN YOU ADMIT THAT I AM TELLING THE TRUTH. OMG YOUR A TARD!!!!!!!!!!!!!!!!!!!!!!!

My Words:And requires a hacker to get up close and personal with a machine.

Your Words: No, it doesn't. You can repeat it over and over again, but it's false.

GOOD GRIEF YOUR JUST ALL AND OUT TELLING THE BIGGEST WHOPPER OF A LIE EVER! YOU CAN NOT REMOTE INTO THESE SYSTEMS AND HACK THEM. THATS WHAT THE GENERAL PUBLIC THINKS IS HAPPENING. HOW DO YOU DROP A KEY FILE IN THE MACHINE WITHOUT SOME KIND OF INSIDE SCAM GOING ON. YOU CANT.

How'd this get partisan?

Both sides have streams of lawyers ready to dispute anything in a close election. Historians have shown that Kennedy probably won the election due to dodgy votes in Chicago.
In Washington State, Rossi won the first two counts, and lost the last. There were reams of evidence of dead people voting, felons voting, ad naseum.

It really doesn't matter because both parties do something even worse- gerrymandering. That's the real problem, and only when that is addressed will voting matter.

There is no absolute secure method

If it's going to be electronic it's going to have flaws. There is no way around this. So what's the big deal.

Build a machine that takes the person votes, then prints out their vote, simply tell them to look at that paper and if it's correct then the paper goes into a second box.

If the electronic results are contested then count the paper votes, if they differ then the paper results win. Any fool that did not verify their paper results to be accurate has no grounds for arguing.

I Think It's Great What UCSB Is Doing

Don't you love it when students and researchers make it part of their studies to determine security vulnerabilities (especially with such important issues at stake).

The very fact that they can publish this information without being thrown in jail is a testament to how great civilized nations like the USA are.

Now that these vulnerabilities are out in the open, the people that make the initializing USB keys can somehow encrypt them or make them unique in some manner that will eliminate the possibility of accidentally using a compromised USB key. Maybe some type of unique, hard to reproduce holographic sticker/emblem with an RFID tag in it. Remember when there was the home run record being set by Bonds? They used special identifiers in each ball, so no one could falsely claim they had the record-setting ball, when they actually didn't.

As these security vulnerabilities are published, the people that established these procedures for setting up the machines can knock them down, one by one.

Fix it

I don't get all the ranting going back and forth here.

A person does this calibration thing right? So, there is an obviously a point of possible corruption. Also, there is the possibility of someone getting a usb key by an official that is not corrupt, as previously stated.

My personal opinion is that these things are too important to not be open to much more scrutiny. The more a system is banged on, the more likely you are to find possible exploits and fix them. But that part is at least debatable.

As for which party benefits? I don't think that had anything at all to do with the article, but if a voting machine is hacked, the voters didn't benefit. That should be the issue.

If there is going to be a debate about this, shouldn't it be on the best course of action to get voting machines to a trustworthy state and maintain them there.

Re: Re: Re: Oh no, Not again!

I have a clue. You, on the other hand, apparently do not. It does not "someone who has full access to a machine and is able to access what ever they like."

As the video clearly shows, the ONLY think those who want to distort the election need to do is get a USB key into the pool of USB keys used to begin the election process. At no time in the video did anyone other than an election official have access to the machine.

The entire surreptitious part is just in getting an infected USB key into the pile of USB keys. That may not be easy for anyone to do, but it's absolutely possible (AGAIN I EMPHASIZE EVEN YOU ARE SAYING THAT IT IS NOT EASY FOR ANYONE TO DO..

*sigh* Is it that hard to understand the difference here. The point is not that *anyone* can do this, but that there are many people who *could* do this. All you need to do is get the USB key into the pile. As we've explained, that's not very difficult.

Well then whats your point!!!! Good Grief If electronic voting is superior why spend time knocking it!!!! Electornic Voting my not be perfect. But does it not makes sense to move to something superior?

Um. We're not knocking the entire concept of e-voting, but pointing out the security flaws with the current implementation. Is it really that difficult to understand that it's possible to point out ways to improve the current system without trashing the entire concept?

Yeah, I am the ignorant one.. Get a clue. Your just arguing to argue. Your unable to recognize reason. I was simply making statement in much of my writing. I was not contradicting anyone.

Except that so far, you have been shown to be factually incorrect, and when called on it, repeated the outright falsehood that this hack requires folks to have full access to the machine. It does not.

Misleading??? HOW IS IT MISLEADING WHEN YOU ADMIT THAT I AM TELLING THE TRUTH. OMG YOUR A TARD!!!!!!!!!!!!!!!!!!!!!!!

Always nice to talk to someone who can express their opinions in a calm and refined manner.

Anyway, the way it is misleading is that you implied that because the system requires some skill to hack that means that it's not worth understanding the security vulnerability. That, on the face of it, is a troublesome statement. Just because there's a smaller group of people who can hack an election it doesn't mean this isn't a concern worth worrying about.

GOOD GRIEF YOUR JUST ALL AND OUT TELLING THE BIGGEST WHOPPER OF A LIE EVER! YOU CAN NOT REMOTE INTO THESE SYSTEMS AND HACK THEM. THATS WHAT THE GENERAL PUBLIC THINKS IS HAPPENING. HOW DO YOU DROP A KEY FILE IN THE MACHINE WITHOUT SOME KIND OF INSIDE SCAM GOING ON. YOU CANT.

No one ever said that you could "remote into these systems." What was said, and clearly demonstrated, was that you just needed to get a USB key into the pile. That does not require full access to the machine. It just requires access to the pile of USB keys that are used to initiate the election. And, as I said, that can easily be done by a single corrupt election official, or via a janitor, or via a breakin. All of which are perfectly reasonable scenarios.

You, on the other hand, falsely insisted that it required full access to the voting machines. That's simply untrue. Watch the video. The only time a "hacker" was involved was for about 2 seconds at the beginning when they dropped the USB key.

Re: Re: Re: Re: Oh no, Not again!

Good point, Mike. Let me see if I can recap.

The USB device could even be placed by a nefarious person at a polling place. In the 2000 and 2004 elections they had to bring in representatives from both Dem and Publican parties, create new precedents of counting "dimpled" "pregnant", or "hanging" chads. Another person mentioned sudden "findings" of thousands of mailed ballots in the WA Gubernatorial Election.

So new precedents of what counts as a vote were created even outside of the normal polling process. What I get out of the articles is that the process lacks chain of custody and this can easily be circumvented. If chain of custody isn't maintained, or incorrect counts occur, it causes chance of error. Anything less than 100% accuracy is unacceptable in an election.

Elections shouldn't be seen as the penny dish at your local convenience store. Maybe I am wrong here, but this should be a system of absolutes.

Re: The Dem's have a rule: Either we Win or you cheated, be it debates, elections...

Are you stupid? No, really, are you?

The talk about insecure voting machines is a year round discussion. For anyone in the security field, it is more than a discussion and goes well beyond partisan views.

Anyone making this out to be an issue of partisan has their priorities mixed up. The point, period, is that your vote could be compromised. I understand many people could care less, or that many people think it doesn't matter much due to the electoral college - but to many people, it is a big deal that their vote is counted, and counted correctly.

The party you belong too (if any) doesn't matter on an issue such as this. So please, stop making it out to be that way. It does nothing more than make you look ignorant and under educated. Rather than a political debate, I would rather see secure voting boxes.

My thoughts

I fail to understand why these machines need USB keys. I understand how the keys are being used, my point is: the machines should be designed differently. All the parts to the machine could be hard-wired with no removable items; this would eliminate a lot of the worries of contamination.

On a side note:
6 exclamation points, 4 question marks, caps lock, and poor use of the English language show immaturity. I can accept that perhaps public schools are no longer teaching the nuances of words like 'you're' and 'your' or simple use of an apostrophe, but "OMG YOUR A TARD" has no business in a serious discussion. Go troll lolcats.

Re: Re: Re: The Dem's have a rule: Either we Win or you cheated, be it debates, elections...

Re: Re: Re: Oh no, Not again!

You seem to be missing the very point that you yourself pointed out at the end of your post. Do you realize how easy it is to volunteer to help with the elections? It wouldn't take much for someone wanting to do a lot of damage to simply volunteer to help out, and slip a corrupt key into the stash.
The skill comes from writing the malware...anyone can drop a USB key.
Are there problems with the paper ballot system? Yes, there are, and we need to fix them or get rid of paper ballots. Are there problems with the electronic ballot system? Yes, there are and they need to be fixed. The point of this article isn't to say that one technology is better than another. The point is that a technology that is widely used has a very real and very serious flaw. The first step to fixing any problem is to admit there's a problem.
Oh, by the way, if there are people out there that can break into bank vaults and walk away without the bank realizing anything has happened for several days, I'm fairly sure there are people who can sneak into a room and plant a couple keys.

Re: The Dem's have a rule: Either we Win or you cheated,

The typical Republican strategy: Attack first and with a bunch of inflammatory rhetoric so that you define the discussion, then anything the other person does in defense you can say "you're just a whiny bitch"
However Republicans never deal with, and in fact go out of their way to avoid, any actual facts of the situation, whatever that may be.
The truth is that The Republicans and their corporate whorefriends DID INDEED rig BOTH the 2000 and the 2004 elections in their favor, and there's LOTS of evidence that they did so (http://www.truthout.org/article/ten-ways-gop-is-now-stealing-ohio-vote and http://www.freepress.org/departments/display/19/2004/810, among MANY MANY other documented FACTS).
Of course, when presented with these facts, the Republicans will just start their usual rant about 'biased liberal media', despite the fact that over 90% of the media is owned by large corporations that are owned AND run by staunch republicans.
That the Republicans have been so successful is only due to the fact that they are a hive mind and stick together out of a bizarre manifestation of some sort of football-fan mentality, "our team right or wrong," while most democrats make an attempt to sound reasonable and to approach the subject rationally, which ends up only making them look weak, especially after another hefty dose of right-wing Rove-ian spin.
Republicans only come in two flavors: Incredibly stupid, ignorant sheep, or just plain evil.

Anything can be won.

Re:JustTheFacts

Oh, nice reply - all mindless generalization, no admission of any wrongdoing by Dems at all. You really think there haven't been any corrupt Dems in the entire history of this country?

Unless you've personally met and interacted with every single Republican in the country, you can't say they're all one thing or another thing. You can only say what you've encountered directly in your own personal experience. Anything more is baseless generalization and blanket statements.

Just so you know, I don't belong to either party, nor have I ever voted in any election. The system is broken, and the only way it can be fixed is if someone defies that very system, an independent who takes no contributions, entertains no lobbyists, does not rig votes, and uses no flowery, false prepared speeches. Someone who is not a politician, but a public servant, which is what holders of public office are supposed to be. George Washington warned in his farewell address against having political parties, but we didn't listen. And every generation since then has suffered for it.

Ugg

I'm SOOO sick if reading these idiotic comments that all boil down to "stop whining." Mostly, its a bunch of conservative jerkwads trying to paint Dems as complainy little children. Well guess what, complainers change the world. No amount of forcible cranial-rectal insertion will make the world a better place. Call me a whiner, call me a complainer, I don't really give a f***. I'm not a Dem, but I am a security expert, and these machines scare the living crap out of me. They barely work, they aren't even close to secure, and they could be used by anyone, probably on the local level, to affect the outcome of an election. This isn't a partisan issue, and you morons trying to make it one by accusing Dems of whining need to wake the f*** up. You must be great parents. I can see it now: "Mommy, Daddy beat me!" "Ugg, you're always complaining, stop whining."

Re: Arguing on the internet, duty calls.

Define "win." If you mean that you can't change people's minds, that is just plain wrong. It may be rare, but it happens, and I've been on both sides of that equation. This forum may not be the best example, but believe it or not, there are people out there who are willing to listen and learn, if that is, you have something valuable to contribute. Now, please stop trying to derail the conversation. Yes, you're terribly witty. Yes, you're smarter than all of us. Now, leave please :)

Ans to "Why only when dems win?"

If the republican always cheats, then they can never complain since it will also show their attempt or actual cheat.
There is no discussion of what happens when both cheat. It is probably that last one loaded that conquers. So, call it 50-50 chance which way the machine goes. Hence if p&q then no cry to complain.

If the democrat always cheats and the republican does not, then democrat wins. I.e., if p & not q then d. Republicans could complain, and maybe does.

If the republican always cheats and the democrat does not, then the republican wins. I.e., if not p & q then r. Democrats could complain, and often do.

Now look at the recent history and see what matches the logic best. You decide.

Re: Re: Re: Oh no, Not again!

Focus on the facts

In "Ugg" above, Jon states the point of this article, which we really should see is the focus here:

I'm not a Dem, but I am a security expert, and these machines scare the living crap out of me. They barely work, they aren't even close to secure, and they could be used by anyone, probably on the local level, to affect the outcome of an election.

History shows that elections may be falsified by a number of processes beyond the recording of a single person's vote. It shows that there are people who will subvert the system. Usually, it has little to do with technology.

The electronic voting machines are supposed to make most of the historic methods impossible, but they don't. Most of them, maybe, but certainly not all. Further, it makes it easier to create a mass vote modification attack possible for those same people and those even less intelligent because now you need one person to write the code and any number of people who are ignorant or easily bribed or righteous or have any other excuse, to insert the illegal fob into the controlled flow of the USB keys. It could be inserted any place from the creation of the original keys at the point of initiation to the final ballot places as seen in the first video.

We the people need to force a change to the current electronic voting machine processes, regardless of who wins!

Re: Re: The Dem's have a rule: Either we Win or you cheated, be it debates, elections...

There has never been an american election that was REAL. It matters not who anyone votes for. the winner is known well in advance...by the elites who hand picked them.... the argument about voting machines is a waste of mind power..